Clearly, a regular and frequent update regimen alone wouldn't solve this problem of laggy Apple patches, but it would provide a clear set of deadlines and target dates for Apple's security team.

You have to think, "That would surely do no harm."

By the way, we recommend applying this round of updates sooner, rather than later.

The patches fix multiple holes on all platforms, including some attacks that can be combined dangerously, such as bypassing Address Space Layout Randomisation (ASLR), escaping from sandbox protection, getting control of the browser with booby-trapped JPEG (image) files, and grabbing almighty system power from an otherwise unprivileged process.

A remote code execution bug that can be triggered by a web-borne image to give an external attacker administrative privilege...

I think part of the problem is that Apple tend to wait until they have several security fixes lined up, and then package them together and put them out as one update. In contrast, Microsoft's security and stability patches tend to be more granular - ironically, there are now fewer Service Pack releases than there were with previous Windows versions.

Given that Snow Leopard seems to have dropped off the list of supported versions of OS X, I'm wondering if the reason for the delay in Apple's security fixes is due to having to do regression testing against several operating system releases, more so if you include the parts that are shared with iOS and Apple TV. Perhaps Apple will 'solve' this problem by starting to move support for Lion and Mountain Lion off stage left. This seems probable, given their moves to persuade as many people as possible to upgrade to Mavericks.

You can be as sarcastic as you like, but Apple would indeed do well to follow in Microsoft's footsteps when it comes to patching.

Microsoft has delivered ever-more reliable, rapid and effective patches every month for ten years, with additional emergency updates as needed. Microsoft has also been pretty clear about end-of-life dates for its products.

"Microsoft has delivered ever-more reliable, rapid and effective patches every month for ten years, with additional emergency updates as needed."

Since I have used and had to rely on both operating systems for many years, I feel that statement tells only part of the story - because the errors and glitches Microsoft is always working to patch are, by and large, far more serious and more frustrating than Apple's. And some Windows messes are not successfully patched for years, and persist through OS versions, e.g. deleted or moved desktop icons constantly reappearing on restart; damaged or "lost" user profiles, etc. etc.

To be clear: I am talking about security patches rather than functionality patches.

Also, if you are going to claim that Microsoft's bugs are "far more serious" than Apple's (at least from a security point of view), I feel you ought to offer some examples as evidence. Apple's vulnerabilities seem serious enough to me - look, for example, at the CVEs I listed above patched in Mavericks alone this time. (JPEG file format vuln + kernel privilege escalation vuln + sandbox escape.)

Microsoft has had some bad holes, to be sure (the vulnerability used in the Stuxnet virus is a good example), but I am not convinced they are "by and large far more serious." I think that's a false sense of safety if you're a Mac user.

Not sure how you jumped to the conclusion, from anything I said, that Mac users somehow suffer from "a false sense of security" although I do have an "impression" that Mac users enjoy a greater sense of contentment and satisfaction according to most surveys; but all these measures of how Mac users and Windows users and cross-platform users "feel" or "sense" are really simply subjective opinion, aren't they? Really not something capable of being accurately measured, unless perhaps we would subject all computer users to taking something like the Minnesota Multiphasic Personality inventory, right? And what a monumental waste of time that would be.

I'm not jumping to that conclusion. I'm saying that if you make such a strong claim as that "Microsoft's errors are far more serious", then you run the risk of giving Mac users a sense that Apple's security errors are in general less dangerous, and thus you may very well create a false sense of security. Such is the nature of better/worse comparisons, even if you meant to imply that Apple was indeed bad in absolute terms, but Microsoft merely worse.

So, since you're on the topic of subjectivity: where's your *objective* evidence that Microsoft needs to put out more patches because its software has "far more serious" flaws?

I'm not saying you're wrong, but I don't think you should expect me or anyone else to accept such a bold claim without evidence. I *think* I put that pretty clearly when I said above, "I feel you ought to offer some examples as evidence."

Apple has communicated that it will always support the 3 most current versions of OS X. For now those are 10.7, 10.8 and 10.9. After the release of the next version (10.10; rumored to be released this October) the support for 10.7 will be dropped.

Ah! Good. Do you have a link for that communique, most importantly to the part that says versions more than 3 behind are *not* supported? I've really struggled to find an official "yes we do/no we don't" message from Apple itself...

Please let me add some thoughts. I ran an iMac 2011 with 10.6.9 until last month. Apple installed an app through Apple update that prompted me to install Mavericks as the security update for Snow Leopard. Rather than do a clean install, and lacking Time Machine capability, I traded the old iMac at the Mac dealer for a tidy sum. There was no doubt in my mind support for Snow Leopard has ended. The Mavericks update is free as it is the security update. It should be plainly understood that support for Snow Leopard is over. It was supported for four years. Next year probably all will go except Mavericks. Thanks for letting me express my views here. I was a Snow Leopard user and also hated to see it go.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009.
Follow him on Twitter: @duckblog